Using smart cards or similar products can greatly enhance the security of a network and of individual workstations (including portable computers and those used for remote access). Ryan Faas shows you how to implement these alternatives to static usernames and passwords on the Macs in your network.

Systems administrators often need to strike a balance between password
policies that offer greater levels of security and policies that permit users to
choose passwords that are easy to remember. This can be a tricky balancing act:
If you force passwords with greater levels of security, users are likely to
forget them and continually need to call the help desk to have them reset or
write them down on a piece of paper kept at their desk (negating the security of
the password). If you allow less-secure passwords, they can be easily guessed or
cracked. As users become more mobile, this becomes an even greater dilemma
because of the potential theft of portable computers or the inherent lack of
security when users access resources via unprotected Wi-Fi hotspots or home
Internet connections. VPN offers some protection for remote access, but in many
cases even VPN relies on passwords as the method of authenticating users and
granting remote access.

One solution to this conundrum is the use of token-based authentication such
as smart cards or one-time password tokens. Both of these technologies offer the
capability to beef up security by means of two-factor authentication, which
requires a physical token as well as either a PIN or biometric evidence
to grant access. The requirement of a physical device as well as a secret code
or other identifying information such as a fingerprint greatly enhances security
because the password or PIN is essentially useless without the token, and the
token is useless without the PIN or the user's biometric evidence. Also,
because a token is a physical object, its absence will be noticed quickly if it
is lost or stolen (unlike a compromised username and password).

One-Time Password Solutions

One-time password solutions are devices (often referred to as tokens) that are used to enhance security. They are small devices that
have a microprocessor and an LCD screen. Each token is seeded with a unique
encryption key from a server. The token uses that key to generate a unique
one-time password, either each time a user makes a login attempt or at a set
interval, and displays it on the LCD screen. To log in to the secured computer
or service, a user must enter a username that is associated with his or her
token, along with the one-time password displayed on the token and a PIN
that is appended to the sequence of numbers displayed on the token. One-time
password solutions for Mac OS X and Mac OS X Server are available from
CryptoCard and RSA, although RSA's solution is limited to VPN access.
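The following is an added example, written for this article and not code from CryptoCard, RSA or Apple, showing the token/server relationship described above in working form: a shared seed, a token code derived from it either per login attempt (counter) or per time interval, and a server that checks the code plus the PIN appended to it. It assumes the token uses the standard HMAC-based construction (RFC 4226 HOTP and RFC 6238 TOTP) with 6-digit codes; the class and user names are invented for illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 over the moving factor, then
    dynamic truncation to a short decimal code the user can type in."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: float, step: int = 60, digits: int = 6) -> str:
    """Interval-based code (RFC 6238): the counter is the current time step."""
    return hotp(seed, int(at) // step, digits)


class OtpServer:
    """Constructed server side: holds each user's seed and PIN, accepts a
    passcode of the form <token digits><PIN> and rejects replays."""

    def __init__(self, step: int = 60, window: int = 1, digits: int = 6):
        self.users = {}          # username -> (seed, sha256(PIN))
        self.used = set()        # (username, counter) pairs already accepted
        self.step, self.window, self.digits = step, window, digits

    def enroll(self, username: str, seed: bytes, pin: str) -> None:
        # Demo only: a real deployment would use a proper password hash for the PIN.
        self.users[username] = (seed, hashlib.sha256(pin.encode()).digest())

    def verify(self, username: str, passcode: str, now: float = None) -> bool:
        if username not in self.users:
            return False
        seed, pin_hash = self.users[username]
        otp, pin = passcode[:self.digits], passcode[self.digits:]   # PIN is appended
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return False
        base = int(time.time() if now is None else now) // self.step
        # Tolerate small clock drift between token and server, but accept each
        # counter value only once so an observed code cannot be replayed.
        for counter in range(base - self.window, base + self.window + 1):
            expected = hotp(seed, counter, self.digits)
            if hmac.compare_digest(otp.encode(), expected.encode()) \
                    and (username, counter) not in self.used:
                self.used.add((username, counter))
                return True
        return False
```

`hotp` reproduces the RFC 4226 test vectors for the seed `12345678901234567890`, which is a quick way to confirm a token and server implementation agree before enrolling real users.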